[PATCH 1/1] udf: UBUNTU: SAUCE (drop after 2.6.30): Fix oops when invalid character in filename occurs

Tim Gardner tim.gardner at canonical.com
Fri Mar 20 02:05:57 UTC 2009 

Stefan Bader wrote:
> From: Jan Kara <jack at suse.cz>
> 
> Bug: #321606
> 
> Not upstream, yet. Queued to linux-next
> 
> udf: Fix oops when invalid character in filename occurs
> 
> Functions udf_CS0toNLS() and udf_NLStoCS0() didn't count with the fact that
> NLS can return negative length when invalid character is given to it for
> conversion. Thus interesting things could happen (such as overwriting random
> memory with the rest of filename). Add appropriate checks.
> 
> Signed-off-by: Jan Kara <jack at suse.cz>
> Signed-off-by: Stefan.Bader <stefan.bader at canonical.com>
> ---
>  fs/udf/unicode.c |   21 ++++++++++++++++-----
>  1 files changed, 16 insertions(+), 5 deletions(-)
> 
> diff --git a/fs/udf/unicode.c b/fs/udf/unicode.c
> index 9fdf8c9..7215153 100644
> --- a/fs/udf/unicode.c
> +++ b/fs/udf/unicode.c
> @@ -254,7 +254,7 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o,
>  {
>  	const uint8_t *ocu;
>  	uint8_t cmp_id, ocu_len;
> -	int i;
> +	int i, len;
>  
>  
>  	ocu_len = ocu_i->u_len;
> @@ -279,8 +279,13 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o,
>  		if (cmp_id == 16)
>  			c = (c << 8) | ocu[i++];
>  
> -		utf_o->u_len += nls->uni2char(c, &utf_o->u_name[utf_o->u_len],
> -					      UDF_NAME_LEN - utf_o->u_len);
> +		len = nls->uni2char(c, &utf_o->u_name[utf_o->u_len],
> +				    UDF_NAME_LEN - utf_o->u_len);
> +		/* Valid character? */
> +		if (len >= 0)
> +			utf_o->u_len += len;
> +		else
> +			utf_o->u_name[utf_o->u_len++] = '?';
>  	}
>  	utf_o->u_cmpID = 8;
>  
> @@ -290,7 +295,8 @@ static int udf_CS0toNLS(struct nls_table *nls, struct ustr *utf_o,
>  static int udf_NLStoCS0(struct nls_table *nls, dstring *ocu, struct ustr *uni,
>  			int length)
>  {
> -	unsigned len, i, max_val;
> +	int len;
> +	unsigned i, max_val;
>  	uint16_t uni_char;
>  	int u_len;
>  
> @@ -302,8 +308,13 @@ try_again:
>  	u_len = 0U;
>  	for (i = 0U; i < uni->u_len; i++) {
>  		len = nls->char2uni(&uni->u_name[i], uni->u_len - i, &uni_char);
> -		if (len <= 0)
> +		if (!len)
>  			continue;
> +		/* Invalid character, deal with it */
> +		if (len < 0) {
> +			len = 1;
> +			uni_char = '?';
> +		}
>  
>  		if (uni_char > max_val) {
>  			max_val = 0xffffU;

ACK - why don't you think it'll make the 2.6.30 merge window?

-- 
Tim Gardner tim.gardner at canonical.com

More information about the kernel-team mailing list